Right Time, Right Quote

Posted Monday, 11 December 2017

Due to my Twitter profile, I was lucky enough to get on the radar of a journalist who reached out to me to ask what I knew about Troy Hunt. That ended up in the New York Times, which was sort of an amazing moment as it’s the New York Times! Now to be fair it was actually an Associated Press article which was scooped up. I’ll take it as a win. Here is the article in all Troy’s glory: https://www.nytimes.com/aponline/2017/12/05/us/ap-us-youve-been-hacked-researcher.html

“Process memory is such a popular attack vector because traditional and even more advanced anti-malware solutions are generally focused on file-based attacks – not process “hijacks”. When I think about the attack surface it makes sense to spawn or hide in an existing process on an endpoint – that’s something very hard to see. A new binary downloaded onto an endpoint which then makes an outbound network call to some place sketchy: that is pretty easy to detect. Process hijacks, where the malicious code is inserted directly into the memory of an existing running program, are a deadly attack that can sit in memory on machines that don’t reboot very often (like servers). This is the now infamous “file-less malware” recently being talked about by vendors and the InfoSec press.

Why this attack vector? Well, maybe we can blame the Australians in part. The DSD advocates that Application White Listing (included in the modern Windows operating systems, called “App Locker”) is the most effective security control, #1 on their list of 35. Clearly, it may be super effective in stopping unauthorized Trojans and payloads from running on endpoints, so pushing code into memory with an exploit may be a cybercriminal response to the increasing popularity of a “white list” anti-malware technique.”
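The quote above makes the defender's point: a dropped binary is easy to see, code pushed into the memory of a running process is not. One practical way to get visibility is to watch cross-process memory activity rather than files. The following is an added example, not code from the original post, that runs simple hunting rules over constructed Sysmon-style event lines (the field names follow Sysmon Event ID 8, CreateRemoteThread, and Event ID 10, ProcessAccess; the sample lines, the `TRUSTED_THREAD_CREATORS` allow-list and the rule thresholds are assumptions to be tuned per environment).

```python
"""Flag cross-process memory tampering in Sysmon-style event lines (added example)."""
import re
from typing import Dict, List, Optional

# Constructed sample events for illustration (not real captures). Field names
# follow Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess).
SAMPLE_EVENTS = [
    "EventID=8 SourceImage=C:\\Windows\\System32\\csrss.exe "
    "TargetImage=C:\\Windows\\explorer.exe StartFunction=LoadLibraryW",
    "EventID=8 SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe "
    "TargetImage=C:\\Windows\\System32\\svchost.exe StartFunction=-",
    "EventID=10 SourceImage=C:\\Windows\\System32\\taskmgr.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1410",
    "EventID=10 SourceImage=C:\\Program Files\\Office\\WINWORD.EXE "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe",
]

# Hypothetical allow-list of Windows binaries that legitimately create threads in
# other processes. This is an assumption; build it from your own baseline.
TRUSTED_THREAD_CREATORS = {
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\services.exe",
}

# Process access-mask bits (from winnt.h) that allow modifying another process.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_CAPABLE = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# key=value pairs; a value runs until the next " key=" or end of line, so paths
# containing spaces (e.g. "Program Files") survive intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened event line into a field dictionary."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the event looks like process tampering, else None."""
    event_id = event.get("EventID")
    source = event.get("SourceImage", "").lower()
    if event_id == "8":
        # A thread started inside another process by anything outside the
        # baseline is the classic shape of in-memory injection.
        if source not in TRUSTED_THREAD_CREATORS:
            return "remote thread from untrusted source"
        return None
    if event_id == "10":
        try:
            granted = int(event.get("GrantedAccess", "0"), 16)
        except ValueError:
            return None
        # Read-only handles (e.g. 0x1410 from Task Manager) are common noise;
        # only write/thread-capable access to another process is flagged.
        if granted & WRITE_CAPABLE:
            return "write-capable handle to another process"
    return None


def hunt(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Run the rules over a batch of event lines and collect findings."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reason = classify(event)
        if reason:
            findings.append({
                "source": event.get("SourceImage"),
                "target": event.get("TargetImage"),
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"{finding['reason']}: {finding['source']} -> {finding['target']}")
```

On the constructed sample, the two legitimate-looking events (csrss starting a thread in explorer, Task Manager opening lsass read-only) pass, while the temp-directory binary injecting into svchost and the Office process opening lsass with full access are reported. The value of this approach for the "file-less" case is that it never looks at a file on disk at all.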

I’ve got a pretty cool, peer-reviewed article on hunting an APT group and some quotes on the cybercrime economy in the Sunday Times coming soon. Also, mad props to Eric Anthony (follow him on Twitter here: https://twitter.com/EricAnthonyMSP) for resurrecting some old video on Patch Management: https://www.youtube.com/watch?v=th8iA15xXBI That sweater was probably left to die at Bar Napoli.